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® Method of software protection. 

® A cryptographic method for discouraging the copying 
and sharing of purchased software programs allows an en- 
crypted program to be run on only a designated computer or. 
altematvety. to be run on any computer but only by the user 
possessing a designated smart card. Each program offering 
sokJ by the software vendor ts encrypted with a unique file 
key aruJ then written on a diskette. A user who purchases a 
diskette having written thereon an erx^rypted program must 
first obtain a secret password from the software vendor. This 
password will allow the encrypted program to be recovered at 
a prescribed, designated computer having a property imple- 
mented and initialised erwryption feature. The encryption fea- 
ture decrypts the file key of the program from the password, 
and when the encrypted program is loaded at the proper 
computer, the program or a portkm of it is automatically 
decrypted and wntten into a protected memory from which it 
can oniy be executed and not accessed for non-execution 
^purposes. In alternative emtxxiiments. the user is not con- 
^ fined to a prescribed, designated computer but may use the 
program on other, different computers with a smart card 
*2 provided the computers have a property implemented and 
^ initiaJised encryption feature that accepts the smart card. As a 
further modification, the cryptographic facility may support 
^operations that enatrte the user to encrypt and decrypt user 
0> generated files and/or user generated programs. 
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METHOD OF SOFTWARE PROTECTION 



This invention is directed to methods of software pro- 
tection and, more particularty to a cryptographic method for 
discouraging the copying arxl sharing of purchased software 
programs by allowing an encrypted program to be run on 
oniy a designated computer or. altemattvely, to be run on 
any computer but oniy by the user possessing a designated 
smart card. 

With the proliferation of so-called micro computers or 
personal computers, there has been an explosion in the 
writing and publishing of software for these computers. The 
investment in time and capital in the development of a good 
software program can be substantial, and in order to recoup 
this investment the authors, copyright owners and/or pub- 
lishers must rely on royalties and the amortization of costs 
produced by the sale of the programs. Since programs are 
generally distributed on inexpensive floppy diskettes, the 
end user often does not appreciate the substantial costs in 
the production of the programs. Moreover, the disk operat- 
ing systems of most micro computers feature a disk copy 
utility which enables the end user to easily make back up 
copies of program diskettes. The result has been misuse of 
the utility to make unauthorised copies. For example, two or 
more potential end users desiring a program may pool their 
resources and buy one copy of the program and then 
duplicate both the program diskette and the copyrighted 
manual that accompanies the program diskette. As another 
example, a sniall business having several micro computers 
may buy a single copy of a program and then duplicate the 
program diskette and manual in order to distribute copies to 
each micro computer station in the company. Both of these 
examples are clear violations of the copyright laws, but 
searchir>g out the prosecuting violators is often impossible. 
The net result is a substantial loss of revenues to software 
authors and publishers. These revenues are needed in 
order to finance the development of new and improved 
software programs as well as to provide a reasonable profit 
to those who produced the programs that are copied with- 
out authorisation. 

The problem of unauthorised copying and use of pro- 
grams has been addressed by the prior art US-A- 
4.120.030 to Johnstone discloses a computer software 
security system wherein the data address portions of a set 
computer instructions are scrambled in accordar)ce with a 
predetermined cipher key before the instiijctions are loaded 
into an instruction memory. The data involved in the pro- 
gram ts loaded into a separate data memory at the ad- 
dresses specified in the original, unscrambled program. An 
unscrambler circuit, which operates in accordance with the 
cipher key, is coupled in series with the data memory 
address input conductors. 

US-A-4, 168,396 to Best discloses a microprocessor 
for executing computer programs which have been enci- 
phered during manufacture to deter the execution of the 
programs in unauthorised computers. US-A-4 ,278. 837 to 
Best discloses a crypto-microprocessor chip that uses a 
unique cipher key or tables for deciphering a program so 
that a program that can be executed in one such chip 
cannot be run in any other microprocessor. US-A- 
4,433.207 to Best discloses an integrated circuit decoder 
for providing micro computer users with access to several 
proprietary programs that have been distiibuted to users in 
cipher. The decoder chip can decipher a program if an 
enciphered key called a "permit code" is presented to the 
decoder chip. 



US-A-4,446,519 to Thomas discloses a method for 
providing security for computer software by providing each 
purchaser of a software package with an electronic security 
device which must be operatively connected to the pur- 
5 chaser's computer. The software sends coded interrogation 
signals to the electronic security device which processes 
the interrogation signals and ti'ansmits coded response sig- 
nals to the software. The programs will not be executed 
unless the software recognises the response signals accord- 
to ing to preselected security criteria 

The various schemes disclosed by these patents re- 
quire specialised and dedicated hardware for accomplishing 
the security feature. Generally, these schemes are cum- 
bersome and expensive to implement and therefore not 
75 commercially acceptable. What is needed is a software 
protection scheme which is simple and inexpensive to im- 
plement avoiding, in its simpler forms, the need for 
specialised and dedicated hardware, but still able to be 
extended by the use of additional hardware and which is 
20 attractive to a large numt»er of diverse software publishing 
houses. 

Therefor, according to the present invention, there is 
provkSed. as the core method, a method of software protec- 
tion comprisir>g the steps of encrypting each protected pro- 

25 gram of a program offering for sale or lease with a unique 
file key and writing the encrypted program on a storage 
medium as a program file, providing a computer having a 
protected memory and a cryptographic facility, witii a secret 
unique cryptographic key identifier, providing a 

30 purchaser/lessee of the storage medium containing the en- 
crypted program witii a secret password unique to the 
particular program and said cryptographic key identifier, 
whereby, when said medium is loaded into said computer 
and said secret password is entered thereinto, said program 

35 becomes executable after at least a portksn of the program 
has been decrypted in said cryptographs facility as a 
function of said secret password. 

Such a software protection scheme is inexpensive to 
implement and is essentially transparent to the end user so 

40 that it does not detract from the commercial appeal of the 
software program. It can be arranged to allow copying of 
r>rogram diskettes to a hard disk or for purposes of making 
backup copies yet limit the simultaneous beneficial use of 
multiple copies to one or more designated computers or, 

45 altemativety, limit the use to one unique, rwxi-reproducible 
and portable device or. alternatively, to be run on any 
computer but only by the user possessing a designated 
smart card. 

Put another way. ideally in this arrangement, each 
50 program offerir^g sold t>y a software vendor is encrypted 
with a unique file key and then written on the diskette. A 
user who purchases a diskette containing an encrypted 
program must first obtain a secret password from the soft- 
ware vendor. This password will allow the encrypted pre- 
ss gram to be recovered at a prescribed, destgr^ted computer 
having a property implemented and initialised encryptton 
feature which may be stored in Read Only Memory (ROM), 
for example. As part of an initialisation process, when Uie 
program is first loaded, it polls the user to Input the pass- 
60 word. The password is written by the program in the header 
record of the file, and once written in the header record, the 
program will not prompt the user to input his or her pass- 
word on subsequent uses of the program. When tiie dis- 
kette is toaded at the proper computer, the encrypted pro- 
65 gram or a contiDlting portion' of it is automatically decrypted 
and written into a protected memory from which it can only 
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be executed and not accessed for non -execution purposes. 
In an alternative embodiment* the user is not confined to a 
prescribed, designated computer but may use the program 
on other, different computers provided that such computers 
ifxxMporate a smaa card, A smart card as defined herein is 
one having a crypto capability, typically implemented by 
incorporating a micro-circuit on the card. The smart card is 
issued to the user when the user purchases a computer. 
The smart card is preinitialised by the computer manufac- 
turer with a secret parameter unique to that card. The 
procedure is similar except that in this case, the password 
used in conjunction with the smart card allows the user to 
decrypt and execute the program on any computer having a 
property imp*enr>ented and initialised encryption feature. The 
smart card embodiment can be further modified to allow 
portability with a combination of both a Public Key <PK) 
algorithm and the Data Encryption Standard (DES) algo- 
rithm. In this case, the designated public registry (key 
distribution centre) additionally persof\alises the card with 
the public key of the computer manufacturer as well as a 
unique secret card key (the DES key). When a customer 
buys software, the customer automatically obtains a per- 
sonalised intelligent secure card (sman card). Each different 
program recorded on the diskette is encrypted unoer a 
different file key desigr^ated by the supplier of the software. 
The customer then obtains an authorisation number and 
password from the software vendor, as before. The pass- 
word is written in the header of the file on the diskette. The 
computer is also personalised with a unique key pair, a 
public computer key and a secret computer key. However, 
the public computer key is first decrypted under the secret 
key of the computer manufacturer and stored in the com- 
puter in that form. When the program diskette Is used, there 
is a handshake protocol t>etween the smart card and the 
computer whk:h, in effect, recovers the file key and enci- 
phers it under the publk; key of the computer. This protocol 
is such that the handshake will work only at a suitable 
computer with a public key algorithm and a property In- 
stalled key pair, i.e, a secret computer key and a public 
computer key decrypted under the secret key of the des- 
ignated putriic registry. The advantage to this approach is 
that the file key can be encrypted using a public key, and it 
is rK5t necessary for a universal secret DES key to be 
stored on each snr^art card. The protocol for password 
generation and distribution is unaffected by the modification 
to the internal protocol: i.e.. it is the same for the DES only 
smart card as for the DES/PK smart card. 

The present invention will be descritDed further, by way 
of example, with reference to embodiments thereof, as 
ilustrated in the accompanyir>g drawings, in which: - 

Figure 1 is a block diagram of an overview of one form of 
system according to the invention, whtch does not involve 
the use of a smart card: 

Figure 2 is an illustration of a program diskette format 
compatible with the system of Figure ^ : 

Figure 3 is a flow diagram illustrating the password genera- 
tion key management associated with the system of Figure 



Figure 4 is a flow diagram illustrating the operation of the 
computer cryptographic facility key management associated 
with the system of Figure 1 ; 
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card; 

Figure 6 is a flow diagram illustrating the password genera- 
tion key management associated with the system of Figure 
5; 

Figure 7 is an illustratkDn of a program diskette format 
compatible with the system of Figure 5; 

Figure 8 is a flow diagram illustrating the operation of the 
computer cryptographic facility key management associated 
with the system of Figure 5 and using the DES algorithm; 

Figure 9 is a flow diagram illustrating the operation of the 
sman card using the DES algorithm; 

Figure 10 is a ftow diagram illustrating the generation of 
program diskettes by a software vendor 

Figure 1 1 is a block diagram of the components internal to 
a computer whk:h incorporates the cryptographk: facility 
required in ttie practice of the present invention; 

Figure 12 is a block diagram showing the basic components 
of a sman card usable in some embodiments of the inven- 
tion; 

Figure 13 is a flow diagram illustrating the operation of the 
computer cryptographk: facility key management with the 
smart card using the DES/PK algorithm; 

Figure 14 is a flow diagram illustrating the operation of the 
smart card using the DES/PK algorithm; 

Figure 15 is a flow diagram illustrating a first operation of 
the cryptographic facility which derives a file key from user 
input parameters; 

Figure 16 is a flow diagram illustrating a second operation 
of the cryptographic facility which causes a random numtjer 
to be generated; 



Figure 17 is a flow diagram illustrating a third operation of 
the cryptographic facility which uses a password from a 
45 smart card and a random numt^er to derive a file key to 
decrypt a program; 

Figure 18 is a flow diagram illustrating a fourth operation, 
similar to the first, of the cryptographic facility for generating 
SO a file key using a different aJgonthmic procedure than used 
in the first operation; 

Figure 19 is a flow diagram illustrating a fifth operation, 
similar to the second, of the cryptographic facility tor gen- 
erating a file key using the same algorithmic procedure as 
used in the forth operation; 



Figure 20 is a flow diagram illustrating a sixth operation of 
the cryptographic facility for generating a file key from user 
60 input parameters (or encrypting data: and 

Figure 21 is a flow diagram illustrating a seventh operation 
of the cryptographic facility which accepts a password from 
a smart card for generating a file key for encrypting data. 

65 



PiguTB 5 is a Wock diagram of an overview of another form 
of system according to the invention which uses a smart 
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In the description which follows, the notations "e" and 
"d" are used to denote encrypted and decrypted, respec- 
tivety. For example. ''ePKt(KF)'' means the key KF is 
encrypted under the key PKt Similarly, '•dSKu(PKt)" 
means the key PKt is decrypted under the key SKu. Also, 
the term "personal computer" is intended to cover so-called 
"smart terminals" which may include personal computers 
connected to a main frame computer in the network. 

Referring now to the drawings and more particularly to 
Figure 1, there is shown an overview of the first embodi- 
ment of the invention. The system according to this embodi- 
ment comprises a personal computer io having a crypto 
protected storage facility 101. Each program offering 12 
sold by the software vendor is encrypted with a unique file 
key. KF, arxJ then written on the diskette. The format of the 
diskette is generally shown in Figure 2. One type of cryp- 
tographic niethod that may be used is a cipher block 
chaining technique which requires an initialising vector. If 
desired, different initialising vectors using the same file key, 
KF, can be used to encrypt the same program written on 
different diskettes. This ensures that different cipher text is 
produced for each diskette and prevents differences in the 
plain text from being observed by comparing the corre* 
spending cipher text The initialising vector is written in the 
header record on the diskette. 

A user, who purchases a diskette containing an en- 
crypted program, must first obtain a secret password from 
the software vendor. This password will allow the encrypted 
program to be recovered at the prescribed, designated 
personal computer 10 having a property implemented and 
initialised encryption feature. The secret password allows 
the particular program to be decrypted, and thus executed, 
only on a particular personal computer. This secret pass- 
word is unique to the particular program and computer 
where it is to be recovered and executed. The password 
will not allow other encrypted programs to be recovered on 
that computer, nor will it alfctw that same encrypted program 
to t>e recovered on a different computer. Optwnaily, the 
user could be given a second password that wouW allow 
the encrypted prt)gram to be recovered on a designated 
backup computer. Except for the t>ackup computer, the user 
would ordinarily be expected to pay an extra fee for each 
additional password that would allow the encrypted program 
to be recovered on a drfferent computer. 

Each diskette has a unique serial number written on 
the diskette envelope or outer cover (not shown) and visible 
to the user. As shown in Figure 2, this serial number is also 
recorded in the header record of the diskette. Also recorded 
in the header of the diskette is the program number. In the 
specific example shown in the figure, the program number is 
"12" and the serial number or diskette number is "3456". 
A multi-digit authorisation number is obtained by encrypting 
the program number and diskette serial number, concat- 
enated together, under a secret cryptographic key available 
to and known only by the software vendor. An n-bit portion 
of the authorisation numfc»er is also written on the diskette 
envekDpe except that it is covered by a thin metallic film 
much like that used by the instant lotteries to hide numbers 
on lottery cards. Where n is equal to 16, for example, there 
are 65.536 possible numt>ers for the portion of the 
authorisation numt)er written on the diskette envelope and 
therefore, one would have only a chance of one in 65.536 
of accidently guessing a correct number written on the 
diskette envelope. 

When a password is requested, an authorisation num- 
ber of reference is generated in the same manner as that 
for generating the authonsation number. For each password 
initially issued, a record is made in a data base that this is a 



first use of the authorisation number of reference in the 
process of issuing the password to a requesting user, and a 
record is also made of the password which is issued. 
Therefore, for each request of a password, a first use check 
5 is made to determine whether the authonsation number of 
reference has been previously used for generating the pass- 
word. 

The procedure is illustrated in Figure 3. After purchas- 
ing a diskette, the user places a telephone call to the 

10 software vendor. It is assumed that the user will not accept 
a diskette whose authorisation number has been exposed, 
i.e. where the metallic film has been scratched off. The 
customer provides the software vendor with the program 
numtjer, the n-bit portion of the authorisation numtjer, the 

75 diskette senal number, and the computer number. Each 
computer 10 has a unique identification or number that is 
provided on the cover, for example, by a press-on lat)el 
visible to the user. This identification or number is asso- 
ciated with the secret key of the crypto facility of the 

20 computer. The program number and the diskette serial 
number are loaded into register 20. Recall that for the 
specific example shown in Figure 2, these numbers are 
"12" and "34-56". respectively. Then in block 21. the 
software vendor simply encrypts the provided program num- 

25 ber and diskette serial number, concatenated together, with 
a special secret key, SK, used only to generate mutti-digit 
authorisation numbers. The n-btt portion of the authorisation 
numbers written on the diskenes are produced with the 
same encryption technique. The multi-digit authorisation 

30 number or reference is first checked in the software ven- 
dor's database to determine if the authorisation number has 
been used before. Alternatively, the software verxlor could 
perfomn this check using the program number and diskette 
serial number. In this case, the software vendor simply 

35 records the program number and diskette senal number in 
his data base whenever a password has tDeen issued for 
those numbers. If the authorisation number or the program 
number and diskette serial number have been used before, 
the software vendor knows that a password has been 

40 issued for that program number and diskette serial number 
and that this password has been recorded in his data base. 
In that case, the password is retrieved and reissued to the 
caller. This process is represented by btock 22 in Figure 3. 
On the other hand, if the result of this process indk:ates a 

45 first use, then in block 24 the designated n-bit portion of the 
authorisation number of reference produced in block 21 is 
compared with the n-bit portion of the authorisation number 
provided by the caller. If a match is obtained, the software 
vendor generates a special password that will allow the 

60 encrypted program to be decrypted and executed at the 
designated computer. To accomplish this, the software ven- 
dor forwards an electronic message to the key distribution 
centre 14, passing the program number, diskette serial 
number an6 computer number. The key distributon centre 

55 14 encrypts the computer numt^er with a key, KT. in 
encryption block 26 to produce an encryption key,eKT(TR), 
unique to that particular computer. Alternatively., the key 
eKT(TR) could t>e obtained from a table of stored keys. The 
program number and the diskette serial number in register 

60 28 are then encrypted in encryption block 30 with the key 
eKT(TR) to produce a cryptographic key unique to the 
program and computer. In the example illustrated, this cryp- 
tographic key is eKT{PGl 23456). The key distribution cen- 
tre 14 then retums the cryptographic key to the software 

65 vendor. To further enhance the security of the system, 
encryption can be used between the software vendor and 
the key distritxjtion centre to pnDtect the secrecy of the 
cryptographic key. 
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Meanwhite, tne software vendor has obtained from its 
database the file key, KF, corresponding to the program 
number provided by the caller as indicated by table 32. 

The key KF is then encrypted in encryption block 34 
with the cryptographic key retumed by the key distribution 
centre 14 to generate the requested password. The gen- 
erated password is then given to the caller. Passwords may 
be, for example, 64-bits kDng and therefore cannot be 
guessed a derived from other information available to the 
calter. As a last step, the software vendor now makes a 
record in his data base that this is the first use of the 
authorisation number of reference in the process of issuing 
the password to a requesting user, and he also records the 
calculated password in his data base. 

As part of the initialisation process, when the program 
is loaded in the computer 10, it polls the user to input the 
password. The password is written by the program in the 
header record of the file as shown in Figure 2, and once 
written, the program will not prompt the user to input his or 
her password on subsequent uses of that program. For 
example, a protocol could operate such that the computer 
always reads the header of the diskette looking for a 
recorded password. If no password is found, it prompts the 
user to enter the password and then writes the password in 
the header. If the password is found in the header, the 
computer uses this password in lieu of prompting the user 
to errter a password. The user could also be provided with 
an override to enter the password in case the password 
recorded in the header fails to produce the correct file key, 
KF; i.e.. the encrypted file is not recovered property with the 
recovefBd key KF. Note that from the software vendor's 
viewpoint the password need not be kept secret since it 
does not unkx:k other er>crypted programs. 

Optionally, the procedure for issuing passwords at the 
software vendor could be fully automated by using a voice 
answer back system in conjunction with a multi-frequency 
tone input For example, the caller would be prompted to 
enter the appropnate numbers using the multi-frequency 
tone keyboard on a telephone. an6 these numbers would be 
repeated to the user for verification. If a proper authonsation 
number ts given, an electronic message is sent to the key 
distribution centre 14 to obtain the necessary cryptographic 
key. This message is used to calculate the password which, 
in turn, is repeated to the caller using the automated voice 
system. The process of obtaining the password from the 
software vendor could t>e automated still furtf>er by initiating 
a communications session between an initialisation program 
in the personal computer 10 and a password distribution 
program located in the computer system of the sofhvare 
vendor. In this case, the user wouW call the 800-number 
and initiate the session. The program number and diskette 
senal number could be read from the header record of the 
diskette where they have been written by the software 
vendor. The computer number could be stored within the 
system and provided automatically also. The user would be 
prompted at the appropriate point in the session to enter the 
authorisation number through the keyboard. The obtained 
password wouW be written automatically to the header 
record of the diskette file. 

If necessary, the user can contact the software vendor 
at any later time to re-receive his or her password. To do 
this, he supplies only the program number and diskette 
serial numt)er, which is enough information to allow the 
software vendor to determine that a password has already 
been issued for that pair of numbers and to recover the 
password value which has been recorded previously in his 
<teta base. In essence, the caller ts given an already cal- 



culated password for any program number and diskette 
senal number in the vendor's database. This option does 
not weaken the system but merely makes it more usable by 
end users. 

S When the diskette is loaded at the proper computer 1 0. 

the encrypted program or a portion of it is automatically 
decrypned and written into a protected memory iOi from 
which it can only be executed and not accessed for non- 
•execution purposes. This is shown in Figure 4 where the 

10 cryptographic facility 101 of computer 10 reads password, 
program numtier and diskette senal number from the file 
header. The program number and diskette senal number 
concatenated together are erx:rypted in encryption Wock 
103 with the encryption key for that particular computer to 

T5 produce a decryption key which is used in decryption block 
105 to decrypt the password and produce the secret file 
key, KF. that is used in decrypting the prtDgram or a portion 
of the program. The procedure used is the Data Encryption 
Standard (DES). Note that onfy the designated computer is 

20 capable of generating the decryption key wtiat will produce 
the file key. KF. 

Turning now to Figure 5. there is shown an alternative 
embodiment whK^h is an extension of the first to allow 
portability of an encrypted program try rueans of a smart 

25 card 16. In this embodimerTt. when the user purchases a 
computer, the user is also issued with a smart card 1 6 that 
is pre-initialised by the computer manufacturer with a secret 
parameter unique to that card. A user, who purchases a 
diskette containing an encrypted program, also- obtains a 

30 secret passwonj from the software vendor as before, except 
here, the password is used in conjunction with the smart 
card to altow the user to decrypt and execute the program 
on any personal computer having a property implemented 
and inrtialised encryption feature. 

35 The process is iilustrated in Figure 6. To obtain the 

secret password, in this case, the user provides the smart 
card numt)er rather than the computer number. Each smart 
card has a unique identification or card numt>er that can t>e 
read by the user. If tiie authorisation number is valid and 

40 another request has not been made for that program num- 
ber and diskette serial number as indicated by the compare 
blocks 22 and 24, the software vendor generates a special 
password that wilt allow the encrypted program to t>e de- 
crypted at any personal computer with a valid encryption 

45 feature when used with that smart card. Again, the software 
verKJor obtains a unique cryptographic key from the key 
distribution centre 14 which is used in conjunction with the 
secret file key to generate the requested password. In this 
case, the key disttibution centre 14 is owned, controlled or 

50 established under the direction of the computer manufac- 
turer and uses the card numtjer to obtain a corresponding 
card encryption key, KP. from table 27. Alternatively, the 
key KP can be generated from a secret key bekDnging to 
the key distribution centre in a similar manrw as the eKT- 

55 (TR) keys are generated using secret key KT as shown in 
Figure 3. This encryption key is then used to encrypt the 
program numtwr arKl diskette senal number in encryption 
block 30 to produce tfie cryptographic key that is retumed 
to the software veruJor. As before, the security of the 

60 system can be enhanced by using encryption between the 
key distribution centre and the software vendor to protect 
the secrecy of the communicated keys. Otherwise, the 
protocol ts the same as that for the first embodiment. The 
password is written in the header record of the diskette as 

65 illustrated in Figure 7. The same options are available for 
automating the process at the software verxlor. Likewise, an 
init»al»sation program in the persor^ conriQuter ^0 can be 
used to automatically obtain the password from the software 
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vendor, except here the smari card number must be en- 
tered instead of the computer number. The smart card 
number could be read from the smart card or from a 
location in the computer where it had been previously 
stored. 5 

When the diskette is loaded at any authorised com- 
puter and the smart card 1 6 has been inserted into a proper 
reader device allowing the card and computer to carry on 
an electronic dialogue, the encrypted program is automati- 
cally decrypted and written into the protected memory 101 to 
from which it can only be executed. More specifically, as 
shown in Figures 8 and 9, the computer 10 reads the 
program number, diskette serial number and password from 
the file header and passes these with rts computer number 
to the smart card 16, In the smart card 16. the computer 75 
number is encrypted in encryption block 161 with a univer- 
sal key, KT stored on every smart card. The program 
number and diskette serial number are errcrypted in encryp- 
tion block 162 with a key KP which is unique to and stored 
in the smart card. The output of encryptwn bkx;k 162 is a 20 
decryption key that is used by decryption block 163 to 
decrypt the password to produce the secret file key, KF. 

Meanwhile, the cryptographkj facility 101 of computer 
10 produces a random number T using a random number 
generator 107 or the system clock. As part of the interrtal 25 
protocol interchange between the computer 10 and the 
smart card 16, the random number T is passed to the smart 
card where it is exclusive ORed with the file key, KF. The 
resulting output is encrypted in encryption block 164 with 
the output of encryption block 161 to produce a computer 30 
password that is then passed back to the computer. This 
computer password is then decrypted in decryption block 
109 using a key unique to the computer. The output of 
decryption block 109 is exclusive ORed with the random 
number T to produce the secret file key, KF. Note that 35 
passwords generated by the card are time variant If inter- 
cepted and replayed back into the computer at a later time, 
they will not allow another copy of the encrypted program 
on a different diskette to be decrypted and executed. 

Figure 10 shows the process of generation of program 40 
diskettes. First a dear diskette 36 containing the program is 
supplied by the software vendor to the software distributer. 
The software distributer then er>crypts the program in en- 
cryption block 38 using a key KF to produce and encrypted 
diskette 40. The key KF could be common to a program or 46 
unique for each diskette. The encrypted diskette is then 
copied with a disk copier 42 to produce encrypted diskettes 
44 for sale to users. Obviously, in the process illustrated* 
the software distributer and the software vendor could be 
one aruJ the same. 50 

Figure 11 shows the cryptographic facility 101 in the 
personal computer 10. The cryptographic facility is a secure 
implementation containing the Data Encryption Standard - 
(DES) algorithm and storage for a small number of secret 
keys. It can be accessed togically only through inviolate 55 
interfaces secure against intrusion, circumventksn and de- 
ception which allows processing requests via a control Iine» 
key and data parameters to be presented, and transfomr>ed 
output to be received. The cryptographic facility compnses 
a ROM, such as an EAPROM (Electronically Alterable and 60 
Programmable Read Only Memory), 113 that contajns the 
computer key. Additional ROM 114 contains programs for 
key management sequence generators and disk loader. 
Additional Random Access Memory (RAM) 115 contains a 
parameter output buffer, a parameter input buffer, intermedi- 65 
aie storage for parameters, data and keys, and additional 
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storage for the decrypted programs. The RAM 115 is the 
protected memory of the cryptographic facility 101, and 
decrypted programs stored here can only be executed and 
not accessed for non-execution purposes. 

Figure 1 2 shows the basic compor>ents of a smart card 
used in certain embodiments of the invention. The smart 
card must contain a microprocessor chip 165 for executing 
the crypto algorithm. Further, the card is provided with 
memory for stonng the key KP and card number. The key 
KP, which is unique to the card and kept secret is stored in 
private memory 166, while the card number is stored in 
public memory 1 67. Power for the microprocessor chip and 
supporting memories is derived from the computer 10. 

The descritDed protocol allows other software vendors 
to market encrypted programs that will operate with a 
personal computer or with a personal computer and smart 
card with no k5ss of security to protected software or the 
secret keys or parameters that support the system. To 
interface to the system, it is only necessary for the software 
vendor to forward an electronic message to the key distribu- 
tion centre, passing the program numtjer and computer 
number or, in the case of an implementation supporting 
smart cards, passing the program number and smart card 
number. The key distribution centre returns a cryptographic 
key unique to the program number and computer number or 
smart card number which the software vendor used in 
conjunction with the secret file key under which the program 
has been encrypted to generate the required password. To 
ensure that the same key is not produced by two different 
software vendors who have two different programs with 
identical program numbers, the protocol can be modified 
slightly by assigning a unique two or three digit code 
number to each software vendor and then merely redefining 
the program number to consist of the software vendor code 
number foltowed by the software vendor defined program 
number, i.e. by as many digits as are necessary to distin- 
guish different programs offered by t^tat software vendor. 
Thus, the program number and diskette serial number used 
in calculations is replaced by vendor number, program 
number and diskette serial numt>er. 

Referring now to Figures 13 and 14. as already alluded 
to. the second embodiment of the invention using the smart 
card can be extended using a public key algorithm. More 
specifically, a public key (PK) algorithm is also installed in 
the smart card and computer in addition to the DES al- 
gorithm. The advantage of doing this is that the protocols 
for the three techniques are very similar. Introductran of the 
PK algorithm does not affect the password 
generation/distribution process described with reference to 
Figure 6. In this embodiment the main advantage of the PK 
algorithm is achieved, namely that a universal secret key 
need not be stored on the smart card. The card manufac- 
turer personalises the card with the key KP. The manufac- 
turer also personalises the card with PKu, the public key of 
the registry. When a customer buys software, s/he auto- 
matically gets a personalised smart card. Each different 
program recorded on a diskette is encrypted under a dif- 
ferent file key. KF, designated by the supplier of the soft- 
ware. When a customer buys a program on a diskette, the 
customer mails a proof of purchase coupon to the vendor 
atong with his or her name and the serial number from his 
or her smart card. In lieu of this, the proof of purchase 
coupon contains an authorisation number that must be 
scratched clear as previously described. The numbers are 
sparse such that no one could easily guess a number thai 
represents a valid authorisation numtjer. The customer calls 
the vendor and asks for a speaal password to activate his 
or her diskette. This number is given out only after the proof 
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Of purchase authonsation number has been supplied and 
checked against an active online file to make sure that no 
one has already used the number. If all conditions are 
satisfied, the vendor asks for the customer's card number 
and uses this to access another active online file to obtain 
the key. KP, associated with the smart card as described 
with reference to Figure 6. The vendor then enciphers the 
file key, KF. of the purchased program and gives this 
number to the customer as a password. The customer then 
goes to his or her computer and causes the password to be 
written in the header of the file on the diskette as previously 
described. As shown in Figure 20, the header of the dis- 
kette has stored therein the password eKP(PGl23456{KF) 
where KF is the secret file key of the program. Thus, to this 
point the procedure is similar to that described with respect 
to the smart card/DES only algorithm. 

The computer manufacturer personalises the computer 
with a unrque key pair, the computer public key. PKt, and 
the computer secret key, SKI The computer manufacturer 
has the pubic key of the computer recorded in a puWic 
registry. In effect, this means that PKt is stored in the form 
dSu(PKt). where SKu is the secret key of the registry and 
PKt is the public key of the computer. This value dSu - 
(PKt) is also stored in the computer. 

To use a diskette at any computer, there is a hand- 
shake protocol used between the smart card 16 and the 
computer 10 which, in effect recovers the file key, KF. from 
encTpherment under the key KP and enciphers it under the 
public key, PKt, of the computer. More specifically, the 
puttie key. PKt, of the computer 10 in the form dSu(PKt) is 
encrypted in encryption block 161 with the public key of the 
reoistry, PKu, to produce the public key. PKt of the com- 
puter. The notatwn dSu (PKtO) nr^eans that the putiiic key 
PKt with several redundancy brts (0 bits in this case) 
concatenated with it is decrypted under the secret key SKu. 
SKu is the secret key belonging to the computer manufac- 
turer. The redundancy bits are added to the message so 
that upon decryption, one can ensure that no spurious text 
is decrypted and used as the key PKt Ordinarily. 16 to 64 
bits of redundancy is enough. As a result of these redun- 
dancy bits, the output of encryption block 161 must be 
checked to ensure that the redundancy bits compare with a 
prestored constant value. If they do, then one can be 
certain that the recovered PKt is the public key of some 
computer manufactured tiy the computer manufacturer. This 
ensures that an opponent can not get a smart card to use a 
puWic key PKt except one issued by the computer manu- 
facturer. Of course, it will be recognised by those skilled in 
the art that the block with the redundancy bits will typically 
be kxiger that the publk: key PKu whrch will necessitate 
spiittirtg the block and performing the encryption process 
under PKu using chaining techniques well known in the art 
The program number read from the diskette is also 
encrypted with the key KP in encryption block 162 to 
generate the key eKP(PGi 23456) which is used to decrypt 
the encrypted key KF in decryption block 163. The output 
Of decryption block 163 is exclusive ORed with a random 
number T pnxJuced by random number generator 107, and 
the result is encrypted in encryption block 164 with the key 
PKt to produce the secret file key. KF. exclusive ORed with 
the random number T encrypted under the public key of the 
computer, PKt This password is passed by the smart card 
16 to the cryptographic facility 101 of the computer lO 
where it is decrypted in decryption block 105 using the 
secret key, SKt of the computer and then exclusive ORed 
with the random number T, The file key. KF. is now in a 
torm that can be used at the computer. The protocol is 



such that the handshake will work only at a suitable com- 
puter with a public key that has been property recorded m 
the registry. i,e. for which PKt has been deciphered under 
the secret key of the registry. 
5 The advantages of the mixed public key and DES 

embodiment are several. No secret universal key needs to 
be stored on the card since all universal keys used in the 
system are public keys. Even if the file key. KF. is discov- 
ered, there is no way for an adversary to cause a clear key 
10 to be accepted by the card. The value T sent from the 
computer prevents an adversary from tapping the interface 
to obtain the encrypted key KF and replaying it into a 
computer. If it were easy to input parameters across the 
interface from a dumnry card, such an attack is thwarted by 
15 incorporating the value T. 

The described protocol allows software vendors to 
market encrypted programs that will operate with a particu- 
lar computer and smart card with no loss in security to the 
protected software of a given vendor or the secret keys or 
20 parameters that support the system. To interface to the 
system, it is only necessary for the software vendor to 
forward an electronic message to the key distribution centre, 
passing the program number and computer number or. in 
the case of an implementation supporting smart cards. 
25 passing the program number and smart card number. The 
key distribution centre returns a cryptographic key unique to 
the program number and computer numt>er or smart card 
number. The software vendor uses this cryptographic key in 
conjunction with the secret file key under which the program 
30 has been encrypted to generate the required password. 

The cryptographic facility 101 supports a limited set of 
cryptographic operations for key management purposes. 
These operations are controlied by seven microcode rou- 
tines stored in ROM and initiated by decoding of an opera- 
35 tk)n code conresponding to a specific operatkjn. The first of 
the seven operations is illustrated in Figure 15 of the 
drawings. With no smart card, the first operatk^n is decoded 
in operatkwi control unit 102. and the address for the 
microcode is stored in register 104. The first operation 
40 accepts a password Pi and a number P2 representing the 
concatenation of the program number and diskette serial 
number read from a file header record, and from these input 
parameters, it derives a file key, KF. that is used only by 
the cryptographk; facility to decrypt and encrypted program 
45 for the sole purpose of executing the program. More specifi- 
cally, the program number and diskette serial number, con- 
catenated together, are encrypted under a "bumed in" key 
eKT(TR5678) in encryption bkjck 103 to produce a cipher 
text output Cl. Then, the password is decrypted in block 
50 105 using as a key the cipher text Ci produced by bkjck 
103 to produce cipher text 02 representing the file key, KF. 
The user has no access to the file key; i.e. it is kept secret 
With the smart card, the second operation shown in 
Figure 16 causes a random number T to be generated 
55 inside the cryptographic facility. A special latch 106 in the 
cryptographic facility is also set on as a result of this 
operation. The value of T is generated by the random 
number generator 107 and stored in a T register 108 in the 
cryptographic facility and also presented as an output so 
60 that it can be sent to the smart card. In carrying out the 
computer/smart card together with the parameters Pi - 
(password) and P2 (program number // diskette serial num- 
ber, where // denotes concatenation) and a third parameters 
P3. Where the crypto facility uses the DES algonthm, as 
65 shown in Figures 8 and 9. to encrypt the file key, P3 is the 
computer number. ArternalA^ly, where the crypto facihty 
uses the PK algonthm to encrypt the file key. as shown m 
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Figures 13 and 14. P3 represents the concatenation of the 
public key of the computer. PKt and a non-secret constant 
of suffictent bits which may have a value of zero all decryp- 
ted under the secret key, SKu, of the distribution centre. 

Also with the smart card, a third operation shown in 
Figure 17 accepts a password P4 from the smart card 
provided that the latch 1 06 is set on. Otherwise* the request 
is ignored. From the password P4 and the stored random 
numtjer T in register 108, it derives a file key, KF. that is 
used by the cryptographic facility to decrypt an encrypted 
program for the purpose of only executing that program. 
The decryption algorithm for deriving the file key. KF. may 
be DES or may be PK. The user has no access to the file 
key. After the latch 1 06 has been tested, latch 1 06 is reset 
by operation control unit 102. This ensures that a new 
random numtjer T must be generated before another pass- 
word wilt be accepted by the cryptographic facility via 
another invocation of the third operation and thus prevems 
old passwords from being played back into the crypto- 
graphic facility. Used together, the second and third oper- 
ations are such that they allow an encrypted program to be 
decrypted and executed at any computer with a similarly 
installed cryptographic facility supporting those operations. 
The microcode for the third operation proceeds as follows: 
First latch 106 is tested to see if it is set. If not the 
operation is atxjrted; otherwise, the latch is reset The 
parameter P4 is then decrypted with the "burned in" key 
KT in decryption block 105 to produce the cipher text 
output Cl. This decryption step is performed with the DES 
algorithm using KT = eKT(TR5678) where only DES is 
available as shown in Figure 8 or. with the PK algonthm. 
the decryption step is performed using KT « SKt where 
both DES and PK are available as shown in Figure 13. In 
either case, the resulting cipher text Cl is exclusive ORed 
with the random number T stored in register 108 to produce 
the cipher text C2 representing the file key, KF. 

The register 104 in addition to storing the address for 
the decoded microcode, has three flags denoted D, E and 
P. Up to this point in the description, the operation of the 
cryptographic facility has been to derive the file key that 
can be used to decrypt an encrypted program. As will be 
understood from the foUowir^ description, it is also possible 
for a user to use the file key to encrypt data. The flags D, E 
and P are used to control these operations. The D flag is 
the decryption flag, and the E flag is the encryption flag. 
The cryptographic operations of encipher and decipher data 
are assumed to be such that a cipher operation will be 
performed only if the E flag is tested and found to be set for 
an encipher data operation or if the D flag is tested and 
found to be set for a decipher operation. In addition, before 
decrypted data is directed from the cryptographic facility, 
the cryptographic facility will test the P flag. If the P flag is 
set the decrypted data will be directed to an execute only 
memory in the cryptographic facility; otherwise, the decryp- 
ted data will be directed to the main memory. Thus, in the 
case of the first and third operations described above, the 
microcodes for those operations would in addition set the D 
flag, reset the E flag, and set the P flag. 

In addition to the first three operations, the crypto- 
graphic facility also supports a limited set of general pur- 
pose cryptographic operations. The first of these, referred to 
as the fourth operaton. is similar to the first operation and is 
illustrated in Figure 18. With no smart card, the fourth 
operation accepts user selected parameters Pi and P2. 
which may be any different arbitrary values selected by the 
user. From these parameters, the fourth operation generates 
a file key, KFI, using a different algorithmic procedure than 
that used by the first operation, where KFl is a vanant of 



the file key KF. In the fourth operation, the "burned in" key 
eKT(TR5678) is used to encrypt parameter P2 in encryp- 
tion block 103. The output of the encryption block 103 is 
the cipher text Cl which is used in decryption bkxk 1 05 to 

5 produce the cipher text C2 representing KF. KF is then 
exclusive ORed with the non-zero constant C, to produce 
the variant file key KFl. The key KFl is used only by the 
cryptographic facility to encrypt and decrypt data. The en- 
crypted and decrypted data are under the control of and 

TO accessible to the computer user. In this case, the user has 
a limited encrypt and decrypt feature, except that the pro- 
cess is performed under the control of a key unknown to 
the user of the computer. By remembering the parameters 
Pi and P2, the computer user can decrypt encrypted data 

75 at any later time on his or her computer, or any other 
computer with a similarly installed cryptographic facility sup- 
porting the second and fifth operations, by issuing the 
second operation to generate a new random number T. The 
computer/smart card protocol passes T, Pi, P2. and P3 to 

20 the smart card to generate P4 as shown in Figure 9 or 
Figure 14. 

Then a fifth operation is called for to cause the cryp- 
tographic facility to recover the key KFl from P4, C and the 
stored random number T. Thus, the user cannot migrate the 

25 encrypted data to another computer and decrypt it with the 
same parameters Pi and P2. 

With the smart card, a fifth operation shown in Figure 
19 accepts a password P4 from the smart card provided 
tiiat the latch 106 is set on. Otherwise, the request is 

30 ignored. From this parameter P4. the fifth op>eration gen- 
erates the file key, KFl . using a different algorithmic proce- 
dure than used by the third operation. The password P4 
used in the fifth operation is produced by the smart card, 
using the DES algorithm procedure shown in Figure 9 or 

35 the PK algorithm procedure shown in Figure 14, from 
parameters Pi, P2 and P3 as well as the random number 
T generated t>y the second operation, where PI and P2 are 
user defined parameters and P3 is the computer number 
when the crypto facility uses the DES algorithm to encrypt 

40 KF or P3 is the cryptographic variable eSKu(PKtO) when 
the crypto fadlity uses the PK to encrypt KF. Thus, again 
the user has a limited encrypt and decrypt feature, except 
that the process is performed under the control of a key 
unknown to the user of the computer. By remembering the 

45 parameters Pi and P2. the computer user can decrypt 
encrypted data at any later time on his or her computer, or 
any other computer with a similariy installed cryptographic 
facility supporting the second and fifth operations, by issuing 
the second operation to generate a r>ew random number T. 

50 The computer/smart card protocol passes T, P1 , P2 and P3 
to the smart card to generate P4 as shown in Figure 9 or 
Figure 14. Then a fifth operation is called for to cause the 
cryptographic facility to recover the key KFl from P4, 0 
and the stored random number T. Thus, the user can 

55 migrate the encrypted data to another computer and decrypt 
it with the same parameters Pi and P2. Again, the encryp- 
ted and decrypted data are under the control of and acces- 
sitrie to the computer user. The microcode for the fifth 
operation proceeds as follows: First, latch 106 is tested to 

60 see if it is set on. If it is not the operation is atjorted: 
otherwise, the latch is reset and the input parameter P4 is 
decrypted in decryption block 105 with the "burned in" key 
KT. Where only DES is available. KT = eKT(TR5678). but 
where both DES and PK are available., KT « SKt The 

65 output of the decryption block 105 is the cipher text Ci 
which is exclusive ORed with the random number T stored 
in register 108 to produce the cipher text C2 representing 
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KF. KF is then exclusive ORed with the non-zero constant 
C to produce the vanant file key KFi. The microcode then 
sets the D and E flags and resets the P flag in the register 
104. 

With no smart card, a sixth operation shown in Figure 
20 accepts a user selected password Pi and a number P2. 
which may be any arbitrary values selected by the user, 
and from these numbers, it generates a file key, KF. usjng 
the same algorithmic procedure as used by the first opera- 
tion. The file key is used only by the cryptographic facility to 
encrypt data In this case, the user can encrypt his or her 
own data but not decrypt it Used in conjunction with the 
first operation, the sixth operation allows a user to encrypt 
his or her own programs and store them on diskette or hard 
disk in protected form. The parameters Pi and P2 can also 
be written in the header record of the diskette file or disk 
file. Later, the saved values of Pi and P2 are used as input 
parameters with the first operation to decrypt and execute 
programs. Pi and P2 are such that they pennit the encryp- 
ted program to be decrypted and executed only at the 
computer where the program was originally encrypted, so 
that encrypted programs cannot be migrated to other com- 
puters arxJ executed. The microcode for the sixth operation 
proceeds as follows: First, the parameter P2 is encrypted in 
erxryption block 103 with the "burned in" key eKT- 
(TR5678) to produce the cipher text Ci. The cipher text Ci 
is used in decryption block 105 to decrypt the parameter Pi 
and produce the cipher text C2 representing the file key, 
KF. The microcode sets the E flag and resets the D and P 
flags in register 104. 

With a smart card, a seventh operation shown in 
Figure 21 accepts a password P4 from the smart card 
provided that the latch 106 is set on. Otherwise, the request 
is ignored. From this it generates a file key. KF, using the 
same aigorithmic procedure used by the third operation. 
More specifically, the microcode decrypts the input param- 
eter P4 in decryption block 105 with the "burned in" key 
KT to produce the cipher text Ci. With the DES algorithm 
atone. KT » eKT(TFt5678) is used, or with a PK algorithm, 
KT « SKL The cipher text is then exclusive ORed with the 
random number T stored in register 108 to produce the 
cipher text C2 representing the file key. KF. The microcode 



for the seventh operation also sets the E flag and resets the 
D and P flags in the register 104. in the seventh operation, 
the key KF is used only by the cryptographic facility to 
encrypt data. The user can encrypt his or her own data but 

5 cannot decrypt it The password P4 used in the seventh 
operation is produced by the smart card, using the DES 
algorithm procedure shown in Figure 9 or the PK algorithm 
procedure shown in Figure 14, from the parameters Pi. P2 
arxJ P3 as well as the random number T generated by the 

10 second operation. Pi and P2 are user defined parameters. 
Where the crypto facility uses the DES algorithm, as shown 
in Figures 8 and 9. to encrypt the file key. P3 is the 
computer number. Alternatively, where the crypto facility 
uses the PK algorithm to encrypt the file key. as shown in 

75 Figures 13 arxj 14. P3 represents the concatenation of the 
public key of the computer. PKt and a nonsecret constant 
Of sufficient bits which may have a value of zero ail decryp- 
ted under the secret key. SKu. of the distribution centre. 
Used in conjunctkDn with the second operation, the seventh 

20 operation allows the user to encrypt his or her own pro- 
grams and store them on a diskette or hard disk in pro- 
tected form. The parameters Pi and P2 can also be wntten 
in the header record of the diskette or disk file. Later, the 
computer user can decrypt and execute the program on his 

25 or her computer, or any other computer with a similarty 
Installed cryptographic facility supporting the second and 
third operations, by issuing the second operation to produce 
a new rar>dom number T, passing parameters Pi. P2, P3. 
and T to the smart card and requesang a new value of P4, 

30 and issuing tfie third operation to recover the file key KF in 
the cryptographic facility from the parameter P4 ar>d the 
stored random number T. Thus, the parameters Pi and P2 
are such that they permit an encrypted program to be 
decrypted and executed at other computers supporting the 

35 second and third operations. Because the seventh operation 
does not aikDw decryption under the recovered key KF. it 
cannot be misused by a user to decrypt an encrypted 
program purchased in the usual manner. 

Summarising, the procedures that are available to a 
user of a computer with a cryptographic facility that sup- 
ports the seven operations just described are listed in the 
table below: 
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DES Only, No Smart Card 



18 

Operations 



1. Program Decryption-Execution 

2. File Encryption/Decryption 

3. Program Encryption 



OPl 



0P6 



0P4 



DES Only, With Smart Card 



!• Program Decryption-Execution 
2. File Encryption/Decryption 
3. Program Encryption 



OP2, 0P3 



0P2, 0P7 



0P2, OPS 



DES/PK, With Smart Card 



!• Program Decryption-Execution 

2. File Encryption/Decryption 

3. Program Encryption 



0P2, OP 3 



0P2, OP 7 



0P2, OPS 



While the invention has been particularly shown and 
described with reference to several preferred embodiments 
thereof, it will be understood by those skilled in the art that 
several changes in form and detail may be made without 
departing from the scope of the accompanying claims. 

Claims 



1 . A method of software protection comprising the steps of 
encrypting each protected program of a program offering for 
sale or lease with a unique file key and writing the encryp- 
ted program on a storage medium as a program file, provid- 
ing a computer having a protected memory arxj a cryp- 
tographic facility, with a secret unk^ue cryptographk: key 
identifier, providing a purchaser/lessee (hereinafter, simply 
purchaser) of the storage medium containing the er>crypted 
program with a secret password unique to the particular 
program and said cryptographic key identifier, whereby, 
when said medium is toaded into said computer and said 
secret password is entered thereinto, said program be- 
comes executable after at least a portion of the program 
has been decrypted in said cryptographic facility as a 
function of said secret password. 

2. A method as claimed in claim 1 , wherein, only when the 
program is first k^aded in said computer, performing the 
steps of prompting the user for the secret password, anti in 
response to the input of the secret password by the user, 
writing the password in the header record of the program 
file. 

3. A method as claimed in claim l or claim 2, further 
comprising the step of writing the decrypted program into 
said protected memory from which it can only be executed. 

4. A method as claimed in any preceding claim wherein the 
step of providing the secret password is performed by 
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providing the purchaser of the storage medium containing 
the encrypted program with an authonsation number arxl 
identifying the encrypted program with a program number 
and the storage medium with a storage medium number, 
requesting the purchaser to input the authorisation number, 
the program number, the storage medium number and a 
number identifying said cryptographic key identifier, comput- 
ing from the inputted program number and storage medium 
number an authorisation number, comparing the computer 
authorisation number with the inputted authorisation number, 
providing a key distribution centre with the inputted program 
number, storage medium number and the number identifying 
said cryptographic key identifier if the computed and input- 
ted authonsabon numtiers are the same, otherwise rejecting 
a password request by the purchaser, generating a first key 
as a function of said cryptographic key identifier and then 
encrypting the program number and storage medium num- 
ber concatenated together with said first key to produce a 
second key at the key distribution centre, and encrypting 
the secret file key of the program with sakJ second key to 
produce said password. 

5. A method as claimed in claim 4 further compnsing the 
step of determining if the computer authorisation number 
has been used before, and if it has not then performing the 
step of comparing the computed authorisation number with 
the inputted authorisation number, otherwise rejecting a 
password request by the purchaser. 

6. A method as claimed in claim 4 or claim 5 wherein the 
step of decrypting at least a portion of the program is 
performed by the steps of reading said password, program 
number and storage medium number from said header 
record, encrypting said program number and storage me- 
dium number from said header record, encrypting said 
program number and storage medium number concatenated 
together with a key which is a function of said secret unique 
cryptographic key identifier to produce a decryptkjn key, 
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decrypting said password with said decryption key to pro- 
duce said secret file key. and decrypting the program using 
said secret file key. 

7. A method as claimed in claim i or claim 2, wherein the 
step of providing a computer with a secret unique cryp- 
tographic key identifier is performed by the software or 
computer vendor issuing to the purchaser a smart card 
having said secret unique cryptographic key identifier, said 
smart card interfacing with said computer. 

8. A rr^ethod as claimed in claim 7 wherein the step of 
providing the secret password is performed by the steps of 
providing the purchaser of the storage medium containing 
the encrypted program with an authonsation number artd 
identifying the encrypted program with a program number 
and the storage medium with a storage medium number, 
requesting the purchaser to input the authorisation number, 
a number of the smart card,, the program number and the 
storage medium number, computing an authorisation num- 
ber from the inputted program number and storage medium 
number, comparing the computed authorisation number with 
the inputted authonsation number, and if the computed arKj 
inputted authorisation numbers are the same, providing a 
key distribution centre with the inputted number of the smart 
card, the program number and the storage medium number, 
otherwise rejecting a password request by the purchaser, 
gerterating a card key corresporKling to the inputted card 
number and then encrypting the program number and stor- 
age medium number concatenated together with said card 
key to produce an encryption key at the key distribution 
centre, generating a secret file key corresponding to the 
inputted program number, and encrypting said secret file 
key with said encryption key to produce said password. 

9. A method as claimed in claim 7 or claim 8, wherein the 
step of decrypting at least a portion of the program is 
performed by the steps of supplying the smart card with the 
password, program number and storage medium number, 
encrypting in the smart card the program number and 
storage medium number concatenated together with the key 
of the smart card to produce a decryption key, decrypting 
the password with said decryption key to produce the secret 
file key, and decrypting in the computer at least said portion 
of the program using the secret file key. 

10. A method as claimed in claim 9 further comprising the 
steps of supplying the smart card with a number identifying 
said cryptographic facility, encrypting in the smart card the 
number identifying said cryptographic facility with a univer- 
sal key to produce a computer encryption key, generating in 
the computer a random numt>er and supplying the random 
number to the smart card, exclusive OHing in the smart 
card the secret file key with the random number and 
encrypting the result with said computer encryption key to 
produce an encrypted exclusive ORed output, decrypting in 
the computer the encrypted exclusive ORed output with the 
computer encryption key, and exclusive ORing the decryp- 
ted exclusive ORed output with said random number to 
produce the secret file key, 

n. A method as claimed in claim 10 wherein the steps of 
encTyptk>n m the sman card and decryption in the computer 
are performed using the DES algonthm. 



12. A method as claimed in claim 9 further compnsmg the 
steps providing the computer with a public key, PKt, de- 
crypted under the secret key of a public registry, and also 
providing said cryptographic facility with a conresponding 

5 secret key, SKI providing said smart card with a public key, 
PKu, encrypting in the smart card the computer public key 
decrypted under the secret key of the public registry with 
the card's public key PKu to produce said key PKt. gen- 
erating in the computer a random number and supplying the 

10 rarxJom number to the smart card, exclusive ORing in the 
smart card the secret fite key with the random number and 
encrypting the result with said key PKt to produce an 
encrypted exclusive ORed output decrypting in the com- 
puter the encrypted exclusive ORed output with the key 

75 SKt and exclusive ORing the decrypted exclusive ORed 
output with sa»d random number to produce the secret file 
key. 

13. A method as claimed in ciaim 12 wherein the steps of 
20 encryption and decryption in the smart card and the com- 
puter are performed by selectively using the DES algorithm 
and a publk: key algorithm. 

14. A method as claimed in claim l wherein said cryp- 
25 tographic facility supports encryption and decryption of user 

generated data comprising the steps of accepting a user 
input parameter, and decrypting said user input parameter 
under a key which is a furxmon of said secret unique 
cryptographic key kJentifier to generate a file key for en- 
30 crypting and decrypting said user generated data, 

15. A method as claimed in claim 14 wherein said input 
parameter is input as a first parameter and - a second 
parameter, said step of decrypting compnses the steps of 

35 encrypting said second parameter under said key which 
whrch is a function of said secret unique cryptographic key 
identifier to produce a first cipher text and decrypting said 
first parameter using said first cipher text to produce a 
second cipher text corresponding to a key KF. 

40 

15. A method as claimed in claim 14 further comprising the 
step of exclusive ORing said key KF with a constant to 
produce a key KFl which is used as a file key for encryp- 
ting and decrypting sakJ user generated data. 

45 

16. A method as claimed in ciaim 14 further comprising the 
steps of generating a random numt>er. ar>d exclusive ORing 
said random number with the decrypted user input param- 
eter to produce a key KF and exclusive ORing said key KF 

50 with a constant to produce a key KFi wh«h is used for 
encrypting and decryptir^g user generated data 

17. A method as claimed in ciaim 14 wherein said cryp- 
tographic facility supports encryption of user generated data 

55 comprising the steps of encrypting user generated data 
under said file key, decrypting user generated data by the 
steps of accepting tf>e user input parameter m the form of a 
first parameter and a secorxJ parameter, encrypting said 
second parameter with said key which is a function of said 

60 secret unique cryptographic key identifier to produce a 
decryption key, decrypting said first parameter with said 
decryptkan key to produce a key KF related to said fite key. 
and decrypting said user generated data using said file key. 

65 
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@ Method of software protection. 



R6. 



@ A cryptograpllic method for discouraging the 
copying and sharing of purchased software pro- 
grams allows an encrypted program to be run on 
only a designated computer or, alternatively, to be 
run on any computer but only by the user possess- 
ing a designated smart card. Each program offering 
sold by the software vendor is encrypted with a 
unique file key and then written on a diskette. A user 
who purchases a diskette having written thereon an 
encrypted program must first obtain a secret pass- 
word from the software vendor. This password will 
allow the encrypted program to be recovered at a 
2P''^sc''i^^^> designated computer having a properly 
^implemented and initialised encryption feature. The 
^encryption feature decrypts the file key of the pro- 
^gram from the password, and when the encrypted ^ 
program is loaded at the proper computer, the pro- 
gram or a portion of it is automatically decrypted 
and written into a protected memory from which it 
can only be executed and not accessed for non- 
O execution purposes. In alternative embodiments, the 
Causer is not confined to a prescribed, designated 
III computer but may use the program on other, dif- 
ferent computers with a smart card provided the 
computers have a properly implemented and in- 



itialised encryption feature that accepts the smart 
card- As a further modification, the cryptographic 
facility may support operations that enable the user 
to encrypt and decrypt user generated files and/or 
user generated programs. 
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